diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-07-17 13:50:45 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-07-17 16:47:50 -0700 |
commit | a28d0e873d2899bd750ae495f84fe9c1a2f53809 (patch) | |
tree | c298871f2dfa4dc8f93e0f2928aa844b1cda20f1 /drivers/net/wan | |
parent | cc25eaae238ddd693aa5eaa73e565d8ff4915f6e (diff) | |
download | op-kernel-dev-a28d0e873d2899bd750ae495f84fe9c1a2f53809.zip op-kernel-dev-a28d0e873d2899bd750ae495f84fe9c1a2f53809.tar.gz |
wan/x25_asy: integer overflow in x25_asy_change_mtu()
If "newmtu * 2 + 4" is too large then it can cause an integer overflow
leading to memory corruption. Eric Dumazet suggests that 65534 is a
reasonable upper limit.
Btw, "newmtu" is not allowed to be a negative number because of the
check in dev_set_mtu(), so that's ok.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/wan')
-rw-r--r-- | drivers/net/wan/x25_asy.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c index 5895f19..fa9fdfa 100644 --- a/drivers/net/wan/x25_asy.c +++ b/drivers/net/wan/x25_asy.c @@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) { struct x25_asy *sl = netdev_priv(dev); unsigned char *xbuff, *rbuff; - int len = 2 * newmtu; + int len; + if (newmtu > 65534) + return -EINVAL; + + len = 2 * newmtu; xbuff = kmalloc(len + 4, GFP_ATOMIC); rbuff = kmalloc(len + 4, GFP_ATOMIC); |